Installation

See the xinetd section below for procedures to use vsftpd with xinetd.

Configuration

Most of the settings in vsftpd are done by editing the file /etc/vsftpd.conf. The file itself is well-documented, so this section only highlights some important settings you may want to change. For all available options and their documentation, see vsftpd.conf(5). Files are served by default from /srv/ftp.

Enabling uploading

The write_enable option must be set to YES in /etc/vsftpd.conf in order to allow changes to the filesystem, such as uploading:

write_enable=YES

Local user login

One must add the following line to /etc/vsftpd.conf to allow users in /etc/passwd to log in:

local_enable=YES

Anonymous login

The following lines in /etc/vsftpd.conf control whether and how anonymous users can log in:

# Allow anonymous login
anonymous_enable=YES
# No password is required for an anonymous login
no_anon_password=YES
# Maximum transfer rate for an anonymous client in Bytes/second
anon_max_rate=30000
# Directory to be used for an anonymous login
anon_root=/example/directory/

Chroot jail

One can set up a chroot environment which prevents users from leaving their home directory. To enable this, add the following lines to /etc/vsftpd.conf:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

The chroot_list_file variable specifies the file which lists the users that are jailed.

For a more restricted environment, one can specify the line:

chroot_local_user=YES

This will make local users jailed by default. In this case, the file specified by chroot_list_file lists users that are not in a chroot jail.

Limiting user login

It is possible to prevent specific users from logging into the FTP server by adding two lines to /etc/vsftpd.conf:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

userlist_file now specifies the file which lists users that are not allowed to log in.

If you only want to allow certain users to log in, add the line:

userlist_deny=NO

The file specified by userlist_file will now contain the users that are allowed to log in.

Limiting connections

One can limit the data transfer rate, the number of clients and the number of connections per IP for local users by adding the following lines to /etc/vsftpd.conf (vsftpd expects comments on their own lines, not after a value):

# Maximum data transfer rate in bytes per second
local_max_rate=1000000
# Maximum number of clients that may be connected
max_clients=50
# Maximum connections per IP
max_per_ip=2

You will be asked a number of questions about your company and so on; as your certificate is not a trusted one, it does not really matter what you fill in, because you will use it for encryption only. If you need a certificate that clients can trust, get one from a CA such as Thawte or VeriSign.

Then edit your configuration in /etc/vsftpd.conf:

# This is required
ssl_enable=YES
# Choose what you like; if you accept anonymous connections you may want to enable this
# allow_anon_ssl=NO
# Choose what you like; leaving data connections unencrypted trades confidentiality for performance
# force_local_data_ssl=NO
# Choose what you like
force_local_logins_ssl=YES
# You should at least enable this if you enable SSL
ssl_tlsv1=YES
# Choose what you like; SSLv2 and SSLv3 are obsolete protocols
ssl_sslv2=YES
# Choose what you like; SSLv2 and SSLv3 are obsolete protocols
ssl_sslv3=YES
# Give the correct path to the *.pem file you just generated
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
# The *.pem file contains both the key and the certificate
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
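
Because the settings above decide whether logins and file contents are encrypted, here is an added example (this script is not from the Arch wiki page or from vsftpd itself): a POSIX sh audit that reads a vsftpd.conf the way vsftpd parses it and reports the weak combinations discussed on this page, such as ssl_sslv2 or ssl_sslv3 left at YES. The check names and messages are the script's own.

```shell
#!/bin/sh
# vsftpd_audit CONF: report weak settings in a vsftpd.conf. Added example, not
# from the Arch wiki page or from vsftpd; the checks and messages are its own.
# vsftpd reads strict key=value lines (no spaces around "="), treats only
# whole lines starting with "#" as comments, and lets the last occurrence of
# a key win; vsftpd_get mirrors that.

vsftpd_get() {
    # $1 = config file, $2 = option name; prints the effective value, "" if unset
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

vsftpd_audit() {
    conf=$1
    n=0
    if [ "$(vsftpd_get "$conf" ssl_enable)" = "YES" ]; then
        # SSLv2 and SSLv3 are broken protocols (RFC 6176, RFC 7568)
        for k in ssl_sslv2 ssl_sslv3; do
            if [ "$(vsftpd_get "$conf" "$k")" = "YES" ]; then
                echo "WEAK: $k=YES (set it to NO and keep ssl_tlsv1=YES)"; n=$((n + 1))
            fi
        done
        # both default to YES; an explicit NO lets logins or file data fall
        # back to cleartext even though ssl_enable is on
        for k in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(vsftpd_get "$conf" "$k")" = "NO" ]; then
                echo "WEAK: $k=NO (credentials or file data may travel unencrypted)"; n=$((n + 1))
            fi
        done
    else
        echo "WEAK: ssl_enable is not YES (passwords and files are sent in cleartext)"; n=$((n + 1))
    fi
    if [ "$(vsftpd_get "$conf" local_enable)" = "YES" ] &&
       [ "$(vsftpd_get "$conf" chroot_local_user)" != "YES" ]; then
        echo "WEAK: chroot_local_user is not YES (local users not named in chroot_list_file see the whole filesystem)"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_get "$conf" anonymous_enable)" = "YES" ] &&
       [ "$(vsftpd_get "$conf" write_enable)" = "YES" ]; then
        echo "CHECK: anonymous_enable=YES with write_enable=YES; verify anonymous uploads are really intended"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]   # exit status 0 when clean, 1 when anything was reported
}
```

Run it as `vsftpd_audit /etc/vsftpd.conf` after every change; a non-zero exit status means at least one finding was printed.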

Dynamic DNS

Make sure you put the following two lines in /etc/vsftpd.conf:

pasv_addr_resolve=YES
pasv_address=yourdomain.noip.info

With pasv_addr_resolve=YES vsftpd resolves the hostname itself, so the script suggested elsewhere that periodically updates pasv_address and restarts the server is not necessary.

Note: You will no longer be able to connect in passive mode from the LAN. Use active mode in the FTP client on your LAN PC instead.

Port configurations

Especially for private FTP servers that are exposed to the Internet, it is recommended to change the listening port to something other than the standard port 21. This can be done using the following line in /etc/vsftpd.conf:

listen_port=2211

Furthermore, a custom passive port range can be set with:

pasv_min_port=49152
pasv_max_port=65534

Configuring iptables

Often the server running the FTP daemon is protected by an iptables firewall. To allow access to the FTP server, the corresponding port needs to be opened using something like

Some kernel modules are needed for proper FTP connection handling by iptables; the most important is ip_conntrack_ftp. It is needed because FTP uses the configured listen_port (21 by default) for commands only; all data transfers go over other ports, which the FTP daemon picks at random for each session (and differently depending on whether active or passive mode is used). ip_conntrack_ftp tracks the control connection so that iptables can accept the packets on those data ports. To load it automatically on boot, create a new file in /etc/modules-load.d, e.g.:

# echo ip_conntrack_ftp > /etc/modules-load.d/ip_conntrack_ftp.conf

If you changed the listen_port, you also need to configure the conntrack module accordingly:
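
As an added example (not from the wiki page), a shell function that prints, without applying, the iptables rules and the module option for a custom listen port and passive range like the ones set above. It assumes a current kernel where the FTP helper is nf_conntrack_ftp with a ports= module parameter (the page names the older ip_conntrack_ftp) and an INPUT chain whose policy is DROP.

```shell
#!/bin/sh
# ftp_firewall_rules LISTEN_PORT PASV_MIN PASV_MAX
# Prints (does not apply) the iptables rules and module option for a vsftpd
# instance on a non-standard port with a fixed passive range. Added example,
# not from the wiki page. Assumptions: the FTP helper is nf_conntrack_ftp with
# a "ports=" parameter (the page names the older ip_conntrack_ftp) and the
# INPUT chain has a DROP policy, so anything not listed here is refused.
ftp_firewall_rules() {
    port=$1; pmin=$2; pmax=$3
    if [ "$port" -lt 1 ] || [ "$pmin" -lt 1 ] || [ "$pmin" -gt "$pmax" ] || [ "$pmax" -gt 65535 ]; then
        echo "ftp_firewall_rules: bad port arguments" >&2
        return 1
    fi
    # The helper only inspects control channels on the ports it is told about,
    # so a changed listen_port has to be handed to the module.
    echo "# /etc/modprobe.d/vsftpd.conf (the file name is arbitrary)"
    echo "options nf_conntrack_ftp ports=$port"
    echo "# control channel"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    echo "# data channels the helper has tied to a tracked control session"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # With ssl_enable=YES the helper cannot read PASV replies inside TLS, so
    # the passive range must be opened explicitly; keep it as narrow as you can.
    echo "# passive data channel (required once the control channel is encrypted)"
    echo "iptables -A INPUT -p tcp --dport $pmin:$pmax -m conntrack --ctstate NEW -j ACCEPT"
}
```

Review the printed lines and run them as root, e.g. `ftp_firewall_rules 2211 49152 65534 | sh`, after confirming they fit your existing rule set.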

Tips and tricks

PAM with virtual users

Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.

A virtual user database is created by first making a simple text file with alternating user names and passwords, like this:

user1
password1
user2
password2

Include as many virtual users as you wish, following the structure in the example. Save it as logins.txt; the file name has no significance. The next step uses the Berkeley DB tools, which are included in the core system of Arch. As root, create the actual database from logins.txt (or whatever you chose to call it):

# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

Warning: The above command gives the wrong impression that db_load hashes the passwords. A user with read access to the database file will be able to print the passwords back onto the terminal like so:

# strings /etc/vsftpd_login.db

which demonstrates that db_load does NOT hash the passwords.

It is recommended to restrict the permissions of the newly created vsftpd_login.db file:

# chmod 600 /etc/vsftpd_login.db

Warning: Be aware that storing passwords in plain text is not safe. Do not forget to remove your temporary file with rm logins.txt.
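
The two warnings above come down to a window in which the plaintext passwords sit on disk, first in logins.txt and then in a database that is readable until chmod runs. As an added example (not from the wiki page), a shell function that performs the same db_load step but feeds the user/password pairs from standard input and creates the database with mode 0600 from the start, so neither window exists; db_load reads standard input when -f is omitted.

```shell
#!/bin/sh
# vsftpd_make_userdb DBFILE < pairs
# Builds the vsftpd virtual-user database as the section above does, but feeds
# db_load from standard input (it reads stdin when -f is omitted) so that no
# plaintext logins.txt ever touches the disk, and creates the file under
# umask 077 so it is mode 0600 from the start instead of after a later chmod.
# Added example, not from the wiki page. Input is the page's own format:
# alternating lines "user" / "password". The passwords are still stored in
# clear inside the database, so the file mode remains the only protection.
vsftpd_make_userdb() {
    db=$1
    [ -n "$db" ] || { echo "usage: vsftpd_make_userdb DBFILE < pairs" >&2; return 2; }
    pairs=$(sed '/^[[:space:]]*$/d')                       # drop blank lines, keep order
    n=$(printf '%s\n' "$pairs" | sed '/^$/d' | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        # an odd count means a user without a password (or vice versa); refuse rather
        # than let db_load silently pair the wrong lines
        echo "vsftpd_make_userdb: expected an even number of non-empty lines" >&2
        return 1
    fi
    ( umask 077 && printf '%s\n' "$pairs" | db_load -T -t hash "$db" )
}
```

Example use as root: `printf 'user1\npassword1\nuser2\npassword2\n' | vsftpd_make_userdb /etc/vsftpd_login.db` (type the pairs interactively instead of a shell history line if the shell records commands).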

PAM should now be set to make use of vsftpd_login.db. To make PAM check for user authentication create a file named ftp in the /etc/pam.d/ directory with the following information:

Now it is time to create a home for the virtual users. In this example /srv/ftp is chosen to host the data for virtual users, which also matches the default directory structure of Arch. First create the general user virtual and make /srv/ftp its home:

# useradd -d /srv/ftp virtual

Make virtual the owner:

# chown virtual:virtual /srv/ftp

Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These are the necessary settings to make vsftpd restrict access to virtual users, by username and password, and restrict their access to the specified area /srv/ftp: